Microsoft Stores Windows 10 Encryption Keys in the Cloud

Windows 10 devices have built-in disk encryption that is turned on out of the box, offering additional data protection, but the recovery keys are automatically copied to Microsoft servers when users log in with their Microsoft accounts.

The disk encryption is meant to offer an extra layer of protection in the event that the device is lost or stolen, since access to the encrypted data is possible only when both the encryption key and the disk are in the user’s hands. However, with the keys stored on Microsoft’s servers, an attacker who obtained the key could decrypt the data, should they also have physical access to the drive.

Although this is not a common scenario, the issue is that users do not have control over what happens with their encryption keys when they are stored on Microsoft’s servers. Should the tech company’s systems be compromised, chances are that the encryption keys would fall into the wrong hands, as a recent article on The Intercept suggests.

However, the fact that Microsoft creates a backup copy of the recovery key has its own perks, the most important being that it is retrievable even if the encrypted device is broken. Users are provided with the option to sign into their Microsoft accounts and regain access to their data by grabbing the key from the cloud, which would not be possible without the backup.

Furthermore, Microsoft provides users with the ability to delete recovery keys from the OneDrive website.

As long as users have a new Windows 10 device, the encryption key is automatically saved in the cloud when they first log in with a Microsoft account, regardless of whether they run Windows Home, Pro, or Enterprise. What’s more, Windows Home devices do not allow users to opt out of having the encryption keys uploaded, while Windows Pro and Enterprise users can do so only after the key has been uploaded on the first login, and only if they choose to use BitLocker instead.

BitLocker, also designed for disk-encryption purposes, asks users whether they want the encryption key stored locally or not, and offers various other options as well. Regardless, a new device will automatically send the encryption key to Microsoft when the user sets it up for the first time, though only when a Microsoft account is used – disk encryption is not available for local-only accounts.

It appears that Microsoft decided to automatically back up encryption keys to the cloud to ensure that users don’t lose their data if the device enters recovery mode and they do not have access to the recovery key. However, without physical access to the hard drive, the recovery key is useless, the company suggests.

“When a device goes into recovery mode, and the user doesn’t have access to the recovery key, the data on the drive will become permanently inaccessible. Based on the possibility of this outcome and a broad survey of customer feedback we chose to automatically back up the user recovery key. The recovery key requires physical access to the user device and is not useful without it,” a Microsoft spokesperson told SecurityWeek.

Regardless of Microsoft’s intentions, the encryption key storage could be considered risky or flawed, but Craig Young, a Cybersecurity Researcher for Tripwire, explains that it is important to consider the risk in context.

“While this key backup behavior certainly presents an increased risk that someone may be able to bypass advertised encryption protections, it is important to consider the risk in context,” Young told SecurityWeek. “In order for this ‘vulnerability’ to be exploited, an attacker must be able to both gain access to the backed up key and gain physical access to the encrypted storage.”

“There is essentially an infinitely long list of easier ways for an intruder to bypass disk encryption and retrieve data from a protected device by attacking the end point,” he added. “It is important to remember that most of the protections afforded by disk encryption are not applicable after a system has been booted and the file system has been unlocked. An adversary sophisticated enough to gain unauthorized access to Microsoft’s key backups is almost certainly sophisticated enough to get malware installed onto the running system.”

Last month, researcher Ian Haken demonstrated that BitLocker can be bypassed with the use of simple tools, provided that the target system lacks the most recent security patches from Microsoft.

Users looking for additional control over their encryption keys can head to the aforementioned website and delete them, thus ensuring that an attacker cannot access their data even if the Microsoft account is compromised. However, they should consider creating a backup copy, preferably a hard copy, to make sure that their data is not lost if the device breaks.

Additionally, Windows Pro and Enterprise users can generate new encryption keys that are never sent to Microsoft. For that, they should turn BitLocker off, which will decrypt the disk, and on again, at which point they will be asked how they want to back up the recovery key. The process offers the option to save the key to a file, which can be placed on a USB drive, as well as to save it to the Microsoft account, which means that it will be sent once again to Microsoft’s servers.
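The off-and-on cycle above works but decrypts and re-encrypts the whole disk. As an added example (not from the article or from Microsoft), the script below goes a step further and rotates only the recovery password on an already-encrypted volume using the built-in BitLocker PowerShell cmdlets, writing the new 48-digit key to a file and then removing the old protector so a copy that was uploaded earlier no longer unlocks the disk. It assumes an elevated PowerShell on Windows 10 Pro/Enterprise, `C:` as the system volume and `E:\` as the removable drive for the key file.

```powershell
#Requires -RunAsAdministrator
# Added example: rotate the BitLocker recovery password locally and save it to a file.
# Assumptions: Windows 10 Pro/Enterprise, BitLocker module present, E:\ is a USB drive.
param(
    [string]$MountPoint = "C:",
    [string]$KeyFileDir = "E:\"   # assumed removable drive for the key file
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne "On") {
    throw "BitLocker protection is not on for $MountPoint; nothing to rotate."
}

# Remember the recovery password protectors that exist now; these are the ones
# that may already have been backed up to the Microsoft account on first sign-in.
$old = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" })

# Add a fresh recovery password. This only changes the local volume metadata;
# nothing is uploaded unless a backup cmdlet or the account option is used.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$new = $vol.KeyProtector | Where-Object {
    $_.KeyProtectorType -eq "RecoveryPassword" -and
    ($old.KeyProtectorId -notcontains $_.KeyProtectorId)
}
if (-not $new) { throw "New recovery password protector was not created." }

# Write the new key to the removable drive BEFORE removing anything, so a failed
# write cannot leave the volume without a usable recovery password.
$keyFile = Join-Path $KeyFileDir ("BitLocker-Recovery-" + $new.KeyProtectorId.Trim('{}') + ".txt")
@(
    "BitLocker recovery key (file written by the rotation script)",
    "Volume: $MountPoint   Protector ID: $($new.KeyProtectorId)",
    "Recovery Password: $($new.RecoveryPassword)"
) | Set-Content -Path $keyFile -Encoding ASCII
if (-not (Test-Path $keyFile)) { throw "Key file not written; old protector left in place." }

# Retire the old recovery passwords so any copy held elsewhere is no longer valid.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# Show what remains: the TPM (or other) protector plus exactly one recovery password.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
Write-Host "New recovery password saved to $keyFile"
```

Rotation makes the previously uploaded key useless for this volume, but it does not delete the stale copy from the OneDrive page, so removing it there as described above is still worthwhile. Keep the key file off the encrypted machine itself, since a file on the protected disk is only readable once the disk is already unlocked.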